This blog post demonstrates how an OpenSSH key can be imported into the Amazon platform, how to verify its fingerprints, and how to use the key on a CloudFormation EC2 instance.
This blog post uses aws-must-templates to create “a VPC with a public subnet and private subnet, and a network address translation (NAT) instance in the public subnet”, similar to scenario 2 in the Amazon VPC documentation. The focus is on describing the steps needed to set up the environment, create the stack, and test the provisioned result on the Amazon platform.
Amazon Web Services uses Security Groups to act as a virtual firewall that controls the traffic for one or more instances. According to the Amazon documentation, “rules from each security group are effectively aggregated to create one set of rules”. For better support in RSpec when validating AWS Security Group rules, we need to extend the built-in include matcher. The built-in include matcher works fine for validating that an implemented rule satisfies an expected rule, but it needs to be extended to validate that a set of rules satisfies a given specification.
This post first demonstrates how the RSpec built-in include matcher works when validating one rule, and then presents an extension for validating a set of rules.
Amazon EC2 instance IP addressing poses several challenges for SSH usage, and for any tool using SSH connections:
- Amazon public DNS names encode public IP addresses. Each time an instance is assigned a new public IP address, it also gets a new public DNS name. In essence, this means that the task of managing Amazon public DNS names becomes comparable to the task of managing IP addresses.
- Using an IP address to contact an instance is complicated, because a public IP address, once released, cannot be reused. Using fixed IP addresses, such as Amazon Elastic IP addresses, requires keeping track of the reserved addresses and comes with extra costs.
- EC2 instances with only a private IP address cannot be reached directly from the Internet.
- Private DNS names also encode the IP address they map to. On top of that, private DNS names cannot be resolved outside the cloud network of the instance.
This post presents an idea to solve the challenges listed above. In short, we automatically synchronize Amazon EC2 instance metadata into the OpenSSH client configuration file, allowing SSH connections to be established using the names stored in EC2 tags. We give an example and use it to introduce a tool, called aws-ssh-resolver, that implements the idea.
AWS CloudFormation gives developers and systems administrators an easy way to create a collection of related AWS resources and provision them on the Amazon platform. In order to make AWS infrastructure management even more efficient and manageable, aws-must-templates adds a Template Generator and a Test Runner to the set of tools available to an AWS administrator.
This blog entry goes through a scenario starting with the installation of aws-must-templates, continuing with the creation of an AWS infrastructure, and ending with testing of that infrastructure.